-------------------------------------------------------------
Title: Silly hardlink vulnerability in UNIX 'script' command
Linux version maintainer: Andries Brouwer (Andries.Brouwer@cwi.nl)
Bug found by: Marco van Berkum (m.v.berkum@obit.nl)
Date: 17-12-2001
Priority: low
-------------------------------------------------------------

Script command
--------------
The script command which is part of the util-linux
package (all UNICES are vulnerable, not only linux)
contains a silly hardlink vulnerability which could overwrite
any  file on the harddisk. Script is a tool to save terminal
sessions for later reference. By default script creates
a file called typescript for its log.


The problem
-----------
Very simple, script (when executed as root) overwrites
hardlinks that could be set by any user to any file on
the harddisk. For instance, a malicious user can place
a hardlink 'typescript' to /etc/passwd (or any other file)
in his home directory. If the root user would execute
script in that directory it would cause script to
overwrite that file. Script does check for symlinks and
asks if the symlink should be overwritten, it lacks
checking hardlinks.

Priority
--------
Low, its not likely that root users execute script
in a user's home directory. They could though, its
a minor problem that must be fixed for that reason.

Fix
---
The util-linux maintainer was notified and fixed the problem
in the next version. Still, all UNICES seem to have this
problem.

Just my 2 cents,
Marco van Berkum
--
 _________________________________________________________________
| Marco van Berkum  | m.v.berkum@obit.nl |  'Error #152           |
| Security Engineer | MB17300-RIPE       | Windows not found      |
| Network Admin     | http://ws.obit.nl  |(C)heer (P)arty (D)ance'|
 -----------------------------------------------------------------